Red tape tangles epidemiology

Scientists on both sides of the Atlantic say privacy bureaucracy is hindering research

By Stephen Pincock | January 31, 2006

British epidemiologists are finding themselves increasingly tangled in a web of bureaucracy that makes accessing patient data difficult and time-consuming, the Academy of Medical Sciences said in a recent report. Their concerns echo the experiences of their American colleagues, some of whom continue to experience problems stemming from new U.S. privacy legislation.
"There is no doubt that there is a genuine and systematic problem in the UK," Robert Souhami, chairman of the working group that produced the British report, told The Scientist. "What the researchers are saying first of all is that when they come to put forward a research project [involving patient health records], they're meeting with widespread and often contradictory advice about the legality and confidentiality of their research."
Specifically, researchers are finding themselves delayed or blocked altogether by a plethora of regulatory bodies who interpret the 1998 UK Data Protection Act or other confidentiality rules in conflicting and often overly restrictive ways, Souhami and his coauthors write.
Particular difficulties arise in cases when data cannot be fully and irreversibly anonymized, and when researchers cannot obtain informed consent from all those whose data they are using, Souhami said. For example, he said, one group of researchers who conducted a study in 2000 examining the risk of cancer in Gulf War victims were "flatly turned down" in 2005 when they wanted to re-run the study, Souhami said. "They were told it was an invasion of privacy."
"There are studies where we've gone to almost 200 committees," Anthony Swerdlow, an epidemiologist from the Institute for Cancer Research, told The Scientist. "There have been aspects of studies that have not been possible, and there are now routinely large delays in almost everything." These difficulties mean researchers are not even attempting to conduct research they might once have done, he said.
The report calls for regulators to communicate better with one another and come up with more consistent guidelines for this area of research.
The Lancet weighed in on the issue last week, noting in an editorial that public education is the key to ending stifling bureaucracy that hinders researchers in the UK and US. "Better public education about how research works and about the benefits that can accrue from investigation of population data is urgently needed, as is the need to convey the message that advances in diagnostics and therapeutics are being held up by bureaucratic regulation," the editorial said.
A spokeswoman for the UK's Department of Health told The Scientist the government agreed that too much red-tape was stifling medical research. "We would admit it is a problem, and we want to address that," she said. In fact, bureaucracy-busting was a major aim of a new research and development strategy launched last week, she said. "One of the key points was that we want to make it easier for people to do research using patient records."
Among the measures in the plan are "research passports" to avoid repetition of credential checks by different health authorities, and a national expert advice line to help researchers interpret privacy laws.
Meanwhile, in the US, some researchers say they are still feeling the impact of the introduction of a new federal law, the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA), designed to protect the privacy of medical records, which came into force in 2003. HIPAA establishes circumstances in which a treating physician can disclose a patient's personal health information, such as when making a claim for payment from a health plan. In other cases, the patient must provide written consent for the disclosure.
For Beate Ritz, a Parkinson's disease researcher at UCLA, the legislation had an immediate impact. "When HIPAA hit, the physicians in a network that I was working with became so rattled that they thought that any kind of referral of any information could be against the law," she told The Scientist. "They thought that even letting patients know about research could imply they were disclosing data." Like in the UK, the problem stems less from the law itself, and more from the advice being given by consultants brought in to help institutions deal with HIPAA, Ritz said.
Robert McLaughlin, Legal and Regulatory Affairs Officer for the Northern California Cancer Center, told The Scientist that different healthcare centers experienced confusion over HIPPA when it came to reporting data to the Greater Bay Area Cancer Registry. But researchers had "hammered out a pathway" through those confusions, McLaughlin said. "We had some major frustrations with HIPAA, and we had to work through them."
Roberta Ness, who heads the epidemiology department of the University of Pittsburgh Graduate School of Public Health, agreed that researchers have found ways to work around some problems created by HIPAA, but said that barriers to research still remain.
"One of the major problems is a tremendous variability between institutions in how HIPAA is interpreted," she told The Scientist. "The interpretation is local and in some cases idiosyncratic. For us that is a serious issue." One solution could be for HHS to publish its own interpretations, allowing institutions to feel comfortable they were not breaking the rules, she said.
So far, no such interpretations have been forthcoming. HHS officials did not respond to requests for comment by deadline.
The HIPAA rules also create particular difficulties for population-based studies, according to researchers. Before HIPAA came into force, Ritz used data gathered via Medicare as a source of random population samples to serve as controls. "Since HIPAA, that's not possible," she said. Now, researchers need to use an independent third party to approach individual Medicare patients and ask if they are willing to have their data used. The third party will only provide data from patients who have given permission, and will not say anything about those who refused.
As a result, the sample is no longer random, Ritz said. "It's an absolute nightmare, I'm just about to decide not to do research in the US any more," she said. "If you don't have a valid control group, you can't do epidemiology."
Stephen.pincock@journalist.co.uk
Links within this article
"Personal data for public good: Using health information in medical research," Academy of Medical Sciences, January 2006.
http://www.acmedsci.ac.uk/images/project/Personal.pdf
Robert Souhami
http://www.acmedsci.ac.uk/p59fid670.html
UK Data Protection Act
http://www.opsi.gov.uk/acts/acts1998/19980029.htm
Anthony Swerdlow
http://www.icr.ac.uk/epidem/AE/AetiologicalEpidemiology.htm
"Striking the right balance between privacy and public good," The Lancet, 367; 9507: 275. 28 January 2006
PM_ID: 16443017.
"Best research for best health ? a new national health research strategy," Department of Health, January 25, 2006.
http://www.dh.gov.uk/PolicyAndGuidance/ResearchAndDevelopment/ResearchAndDevelopmentStrategy/RDStrategyArticle/fs/en?CONTENT_ID=4127109&chk=RKJISx
HIPAA privacy rule and its impacts on research
http://privacyruleandresearch.nih.gov/
Beate Ritz
http://www.niehs.nih.gov/ccpder/ucla/ritz.htm
Greater Bay Area Cancer Registry
http://www.nccc.org/ResearchandTraining/research_gbareg.html
Roberta Ness
http://www.acepidemiology2.org/people/ness/index.asp